Windows 10 1903, Windows Server 1903 to drop password expiration requirements in proposed security guidelines

Kip Kniskern


Today on the Microsoft Security Guidance blog, the company published an explanation of its draft release of the security configuration baseline settings for Windows 10 1903 and Windows Server 1903. The document sets guidelines for Group Policy baseline settings, and this latest draft contains some significant changes. The most noteworthy is that the baseline will no longer set a password expiration policy that requires “periodic password changes,” a long-standing baseline setting that Microsoft now calls “an ancient and obsolete mitigation of very low value.”

The blog post goes on to explain why Microsoft is dropping the password expiration policy, noting first that “we are not proposing changing requirements for minimum password length, history, or complexity:”

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

While the baseline guidelines are dropping the outdated expiration policy, the blog post also states that “we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines,” pointing to Azure AD password protection and multi-factor authentication as much better alternatives.

In addition to the news about password expiration, the baseline settings that disable the built-in Guest and Administrator accounts by default are also being proposed for elimination.

Note that removing these settings from the baseline would not mean that we recommend that these accounts be enabled, nor would removing these settings mean that the accounts will be enabled. Removing the settings from the baselines would simply mean that administrators could now choose to enable these accounts as needed.
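As an added example that is not from the Microsoft blog post or this article, the following PowerShell audit reports, for one machine, the settings the draft baseline discussion touches: the maximum password age that drives expiration, the length, history and complexity settings Microsoft says it is keeping, and whether the built-in Guest and Administrator accounts are enabled. It assumes an elevated Windows PowerShell 5.1 session and the key names secedit uses in its [System Access] export section.

```powershell
# Added audit script, not from the Microsoft blog post. Exports the local
# security policy with secedit and reports the settings discussed in the
# draft 1903 baseline. Assumes an elevated Windows PowerShell 5.1 session
# on Windows 10 or Windows Server.

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null

# Collect "Key = Value" pairs from the [System Access] section of the export.
$policy = @{}
$inSystemAccess = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]') { $inSystemAccess = ($Matches[1] -eq 'System Access'); continue }
    if ($inSystemAccess -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $policy[$Matches[1]] = $Matches[2]
    }
}
Remove-Item $inf -Force

# In secedit templates a MaximumPasswordAge of -1 means "never expires".
$maxAge = [int]$policy['MaximumPasswordAge']
$ageValue = if ($maxAge -le 0) { 'Never expires' } else { "$maxAge days" }
$ageNote  = if ($maxAge -gt 0) { 'Periodic expiration enforced; setting dropped from draft baseline' } else { 'No periodic expiration' }
[pscustomobject]@{ Setting = 'MaximumPasswordAge'; Value = $ageValue; Note = $ageNote }

# Microsoft says these three requirements are not changing in the draft.
foreach ($key in 'MinimumPasswordLength', 'PasswordHistorySize', 'PasswordComplexity') {
    [pscustomobject]@{ Setting = $key; Value = $policy[$key]; Note = 'Retained in draft baseline' }
}

# The baseline's "Accounts: Administrator/Guest account status" settings map
# to EnableAdminAccount / EnableGuestAccount. Cross-check against the live
# accounts by well-known RID (500 = Administrator, 501 = Guest), since the
# accounts may have been renamed.
foreach ($u in Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' }) {
    $rid = $u.SID.Value.Split('-')[-1]
    $key = if ($rid -eq '500') { 'EnableAdminAccount' } else { 'EnableGuestAccount' }
    $state = if ($u.Enabled) { 'Enabled' } else { 'Disabled' }
    [pscustomobject]@{
        Setting = "Built-in account RID $rid ($($u.Name))"
        Value   = $state
        Note    = "Policy key $key = $($policy[$key])"
    }
}
```

Once the draft is final, re-running this after applying the updated baseline shows which of these values actually changed on the host rather than only in the GPO.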

The proposed guidelines are just that, proposed, and interested parties can download the draft and comment via the blog post.